My friends over at the VMware Security Blog posted an article yesterday announcing that the Security Hardening Guide for vSphere 4.1 has been released. Coincidentally, Richard Garsthagen posted an article about all the ESX/ESXi hosts he found directly attached to the internet; I guess you could say that goes against every best practice out there. But that is not entirely the reason for this article. I wanted to point out an excellent script by William Lam that assesses your environment based on the recommendations made in the Security Hardening Guide and produces a nice report with a scoring card.

Source: 1.5

The script is currently based on the following revisions of the vSphere 4.x Security Hardening Guide: 

  • Introduction

  • Virtual Machines

  • Host

  • vNetwork

  • vCenter

  • Console OS (for ESX)

While going through the COS/HOST and VM documentation, I noticed there were quite a few checks that might benefit from having a script to validate the guidelines, and that was the motivation for this script. Not all sections can be validated using the vSphere APIs and will require some manual validation, and I've separated the types of passes, whether it's a fail, pass or manual (which requires user intervention).

The script allows you to run a subset of the checks and against different types of validation (ENTERPRISE, DMZ or SSLF). Upon completion, a report is generated including a grade for your environment.

So if you are serious about your virtual infrastructure, read the paper / run the script and make the changes where appropriate and desired to improve the security! Before I finish this post, major thanks to people like William Lam who spent an insane amount of their free time to develop scripts like these for the community. Thanks William, VMware truly appreciates all the work you and others are doing!